How to Find Website Vulnerabilities: Step-by-Step Guide 2026

13.07.2021
19:11

Finding website vulnerabilities follows four stages: reconnaissance, scanning, exploitation, and remediation. Each stage has dedicated tools. The easiest way to run them is from Kali Linux — a penetration testing distribution that ships with everything pre-installed.

Tools for Penetration Testing

Tool         Stage                    Purpose                                   Cost
Nmap         Reconnaissance           Port and service scanning                 Free
Nikto        Scanning                 Web server vulnerability checks           Free
WPScan       Scanning                 WordPress security auditing               Free / Paid (API token)
Burp Suite   Scanning                 HTTP traffic interception and analysis    Community / Pro
OWASP ZAP    Scanning                 Automated vulnerability scanning          Free
Nuclei       Scanning                 Template-based vulnerability detection    Free
SQLMap       Scanning / Exploitation  SQL injection testing and data extraction Free
Metasploit   Exploitation             Exploitation framework                    Community / Pro

These tools are the industry standard for web application security testing. Most ship pre-installed in Kali Linux; the release referenced here is Kali 2024.4, and Kali publishes a new point release roughly every quarter, so check kali.org for the current one and keep tools updated with apt between releases.

Stage 1: Reconnaissance

The goal here is to understand what's exposed from the outside: which ports are listening, which services are running, and what information about the system is available without any credentials.

Port Scanning with Nmap

Nmap is the standard tool for network scanning. A basic SYN scan lists open ports among the 1,000 most common TCP ports. Raw SYN scanning needs root; run it with sudo, otherwise Nmap silently falls back to a slower full-connect scan:

sudo nmap -sS 192.168.1.100

An aggressive scan (-A enables OS detection, service version detection, the default NSE script set, and traceroute) adds service versions and basic script results. Add -p- to cover all 65,535 TCP ports instead of the default top 1,000:

sudo nmap -A -p- 192.168.1.100

The output shows open ports, service versions, and early vulnerability signals: anonymous FTP logins (the ftp-anon script), end-of-life SSH or web server versions, and admin interfaces exposed on non-standard ports.
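Nmap's greppable output (-oG) is the easiest form to post-process. The following script is an added example, not code from the original article: it parses that format, lists open ports with their service banners, and turns the HTTP-speaking services into host:port URLs that the Stage 2 web scanners can be pointed at. The sample output, host address and banners are constructed for the demo; scan_host is the live version and is not executed here.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: turn Nmap's greppable
# output into a list of open ports, then pick out the services that speak
# HTTP so Stage 2 web scanners get pointed at the right host:port pairs.
set -euo pipefail

# open_ports: read `nmap -oG -` output on stdin and print one line per open
# port as "port proto service version". Greppable port entries look like
#   80/open/tcp//http//nginx 1.18.0/
# i.e. port/state/proto/owner/service/rpc/version/ separated by "/".
open_ports() {
  awk -F '\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          if (f[2] == "open") printf "%s %s %s %s\n", f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# web_targets HOST: read open_ports output on stdin and emit one URL per
# HTTP-speaking service. Nmap reports TLS-wrapped HTTP as "ssl|http" or "https".
web_targets() {
  awk -v h="$1" '
    $3 == "ssl|http" || $3 == "https" { printf "https://%s:%s\n", h, $1; next }
    $3 ~ /^http/                      { printf "http://%s:%s\n",  h, $1 }'
}

# scan_host HOST: the live version. SYN scan (needs root), version detection,
# all 65535 TCP ports, greppable output to stdout. Not executed in this demo.
scan_host() {
  sudo nmap -sS -sV -p- -oG - "$1" | open_ports
}

# Constructed sample of greppable output for a hypothetical host; the
# address and service banners are made up for illustration.
SAMPLE_GNMAP="$(
  printf '%s\n' '# Nmap 7.94 scan initiated'
  printf '%s\t%s\n' 'Host: 192.168.1.100 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.168.1.100 ()' \
    'Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 3306/filtered/tcp//mysql///, 8080/open/tcp//http-proxy//Apache Tomcat/' \
    'Ignored State: closed (995)'
  printf '%s\n' '# Nmap done'
)"

echo "open ports:"
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
echo "web targets for Stage 2:"
printf '%s\n' "$SAMPLE_GNMAP" | open_ports | web_targets 192.168.1.100
```

On the sample the filtered MySQL port is dropped, FTP and SSH are listed but not turned into URLs, and ports 80, 443 and 8080 come out as the three URLs to feed to Nikto, Nuclei or WPScan. Replace the sample with `scan_host 192.168.1.100` once you have authorization for the target.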

Gathering Open Source Intelligence

While scanning, check what's publicly known about the target:

  • WHOIS — domain registration data, registrar, and contact information
  • Recon-ng — automated OSINT framework built into Kali Linux
  • Netcraft — subdomain enumeration, hosting history
  • hackertarget.com/reverse-ip-lookup — other sites sharing the same IP address

The more data you collect during reconnaissance, the more targeted your scanning will be.

Stage 2: Scanning

At this stage, tools simulate attacks to surface weaknesses. Important caveat: fuzzing and active scanning generate significant traffic — intrusion detection systems will notice. Only scan infrastructure you own or have written authorization to test.

Nikto — Web Server Scanner

Nikto checks a web server for common vulnerabilities: exposed configuration files, outdated components, insecure headers. Works against any site and requires no source code access:

nikto -h https://example.com

Nikto produces many false positives — treat each result as a lead to investigate manually, not a confirmed vulnerability.

WPScan — WordPress Auditing

If the site runs WordPress, WPScan fingerprints the core version, plugins, and themes and matches them against a database of known vulnerabilities:

wpscan --url https://example.com --enumerate p,t,u

The --enumerate p,t,u flag lists popular plugins, themes, and user accounts; vp,vt restricts output to components with known vulnerabilities, and ap,at enumerates everything (slow and noisy). Fingerprinting works without registration, but the vulnerability matches come from the WPScan API, so pass a free-tier token with --api-token or the scan reports versions without telling you which are vulnerable. WPScan is particularly valuable for sites with many plugins, since that is where most WordPress compromises originate.

Nuclei — Template-Based Scanning

Nuclei is a modern scanner that checks against thousands of community-maintained templates covering CVEs, misconfigurations, and vulnerable components. Faster and more actively maintained than many traditional scanners:

nuclei -u https://example.com

Update templates before scanning to catch the latest vulnerabilities:

nuclei -update-templates

Burp Suite and OWASP ZAP — HTTP Traffic Analysis

Burp Suite intercepts browser requests, letting you modify parameters and hunt for XSS, CSRF, IDOR, and other logic-level vulnerabilities. The Community edition is free. OWASP ZAP is a fully free alternative with comparable capabilities.

Both tools work as browser proxies. Configure your browser to route traffic through 127.0.0.1:8080 (the default listener for both), and every request passes through the tool for inspection and modification. For HTTPS sites you also have to import the proxy's generated CA certificate into the browser; otherwise every TLS connection fails certificate validation and nothing is intercepted.

SQLMap — SQL Injection Testing

SQLMap automatically tests parameters for SQL injection. It does so by sending injection payloads, so even a "detection" run is active testing against the target:

sqlmap -u "https://example.com/?id=1" -p id

Specify the database type to skip backend fingerprinting, and add --batch to accept the default answer to every prompt so the run can be scripted:

sqlmap -u "https://example.com/?id=1" -p id --dbms=MySQL --batch
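The scanners in this stage all generate attack-like traffic, so the authorization check should be enforced by the tooling rather than remembered by the operator. The script below is an added example, not code from the original article: it gates Nikto, Nuclei and WPScan behind a written scope file and keeps every report. The scope file format (one host or IP per line, a leading dot meaning "and all subdomains") and the WPSCAN_API_TOKEN variable are conventions of this example; only the in_scope check runs in the demo, against a constructed scope file, and no scanner is launched.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: refuse to run any active
# scanner against a target that is not listed in a written scope file, then
# run the Stage 2 tools and keep their reports under one directory.
set -euo pipefail

# in_scope TARGET SCOPE_FILE
# Scope file: one hostname or IP per line, '#' comments and blank lines ignored.
# An entry written as ".example.com" also covers every subdomain. A URL target
# is reduced to its hostname first. Returns 0 when in scope, 1 otherwise.
in_scope() {
  local target="$1" scope="$2" entry
  target="${target#*://}"      # drop scheme
  target="${target%%/*}"       # drop path
  target="${target%%:*}"       # drop port (IPv4/hostnames only)
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry="${entry%%#*}"
    entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
    [ -z "$entry" ] && continue
    [ "$entry" = "$target" ] && return 0
    case "$entry" in
      .*) [ "${target%"$entry"}" != "$target" ] && return 0 ;;
    esac
  done < "$scope"
  return 1
}

# stage2 TARGET_URL SCOPE_FILE OUTDIR
# Runs the scanners from this section with their real flags
# (nikto -h/-o/-Format, nuclei -u/-o, wpscan --url/--enumerate/-o/--api-token).
stage2() {
  local url="$1" scope="$2" out="$3" token_args=""
  if ! in_scope "$url" "$scope"; then
    echo "refusing to scan $url: not listed in $scope" >&2
    return 2
  fi
  mkdir -p "$out"
  nikto -h "$url" -o "$out/nikto.txt" -Format txt
  nuclei -update-templates
  nuclei -u "$url" -o "$out/nuclei.txt"
  # Only bother with WPScan when the site actually exposes a WordPress login.
  if curl -fsSL "$url/wp-login.php" -o /dev/null 2>/dev/null; then
    [ -n "${WPSCAN_API_TOKEN:-}" ] && token_args="--api-token $WPSCAN_API_TOKEN"
    # shellcheck disable=SC2086  # token_args is intentionally word-split
    wpscan --url "$url" --enumerate vp,vt,u $token_args -o "$out/wpscan.txt"
  fi
  # sqlmap is run separately, only against parameters you have chosen by hand.
}

# Demo with a constructed scope file; no scanner is executed here.
SCOPE="$(mktemp)"
trap 'rm -f "$SCOPE"' EXIT
printf '%s\n' '# authorized targets (constructed for the demo)' \
  'example.com' '.example.com' '192.168.1.100' > "$SCOPE"

for t in https://example.com/ https://shop.example.com:8443/login 192.168.1.100 https://example.org/ notexample.com; do
  if in_scope "$t" "$SCOPE"; then echo "in scope:     $t"; else echo "out of scope: $t"; fi
done
```

Note that "notexample.com" is rejected even though it ends in "example.com": the subdomain rule requires the dot, which is exactly the kind of edge that a hand-written grep would get wrong. To run the real thing, call `stage2 https://example.com "$SCOPE" reports/example.com` against a target you are authorized to test.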

Stage 3: Exploitation

Exploitation is optional and only needed when you have to demonstrate the real-world impact of a vulnerability. Do not exploit vulnerabilities against production systems unless the rules of engagement explicitly allow it; reproduce the issue on a virtual machine or a dedicated test environment instead.

SQLMap goes beyond detection: it can enumerate databases and tables (--dbs, --tables), dump their contents (--dump), and retrieve credentials from injectable endpoints. Every one of those options pulls real data out of the target, so they belong in this stage, not in scanning.

Metasploit is a full exploitation framework with thousands of ready-to-use exploits for services, plugins, and operating systems. Use in an isolated environment only:

msfconsole

Stage 4: Remediation

Once vulnerabilities are found, prioritize and fix them. Use the OWASP Top 10 as a reference: the list of the ten most critical web application security risk categories, updated every few years.

Prioritization order: remote code execution and full server takeover vulnerabilities get fixed immediately. Data exposure and SQL injection within 24-48 hours. Misconfigurations and outdated components in the next planned maintenance window.

Run your scans again after patching to confirm the issues are actually closed.
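Re-running the scan is only useful if you compare the two reports systematically. The script below is an added example, not code from the original article: it reduces two Nuclei reports (before and after patching) to stable keys and reports which findings closed, which are still open, and which are new, then flags anything still rated high or critical. The two reports are constructed samples in Nuclei's default stdout layout, and the template IDs in them are illustrative names, not real templates.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: compare a Nuclei report
# taken before patching with one taken afterwards, so "run your scans again"
# becomes a concrete check: which findings closed, which are still open, and
# which are new (a regression, or a template added since the first run).
set -euo pipefail

# key: reduce each finding line to "template-id url". Nuclei's default stdout
# format is "[template-id] [protocol] [severity] url ...". Severity labels can
# change between template versions, so they are left out of the key.
key() {
  awk '{ id = substr($1, 2, length($1) - 2); print id, $4 }' | sort -u
}

# diff_findings BEFORE AFTER MODE, with MODE one of closed | open | new.
# BEFORE and AFTER are the two reports as strings; output is one key per line.
diff_findings() {
  local before="$1" after="$2" mode="$3" b a
  b="$(mktemp)"; a="$(mktemp)"
  printf '%s\n' "$before" | key > "$b"
  printf '%s\n' "$after"  | key > "$a"
  case "$mode" in
    closed) comm -23 "$b" "$a" ;;   # only in BEFORE: fixed
    open)   comm -12 "$b" "$a" ;;   # in both: still there
    new)    comm -13 "$b" "$a" ;;   # only in AFTER: regression or new template
    *) rm -f "$b" "$a"; echo "mode must be closed, open or new" >&2; return 2 ;;
  esac
  rm -f "$b" "$a"
}

# blocking REPORT: findings still rated high or critical in a report.
# Anything printed here means the re-scan did not pass.
blocking() {
  printf '%s\n' "$1" | awk '$3 == "[critical]" || $3 == "[high]"'
}

# Constructed sample reports (template IDs are illustrative, not real ones).
BEFORE="$(printf '%s\n' \
  '[exposed-git-config] [http] [medium] https://example.com/.git/config' \
  '[phpinfo-files] [http] [low] https://example.com/phpinfo.php' \
  '[missing-x-frame-options] [http] [info] https://example.com' \
  '[wordpress-login-detect] [http] [info] https://example.com/wp-login.php' \
  '[sqli-error-based] [http] [critical] https://example.com/?id=1')"
AFTER="$(printf '%s\n' \
  '[missing-x-frame-options] [http] [info] https://example.com' \
  '[wordpress-login-detect] [http] [info] https://example.com/wp-login.php' \
  '[exposed-git-config] [http] [medium] https://example.com/.git/config' \
  '[directory-listing] [http] [low] https://example.com/backup/')"

echo "closed since last scan:";  diff_findings "$BEFORE" "$AFTER" closed
echo "still open:";              diff_findings "$BEFORE" "$AFTER" open
echo "new:";                     diff_findings "$BEFORE" "$AFTER" new
echo "blocking (high/critical):"; blocking "$AFTER"
```

In the sample the SQL injection and the phpinfo page closed, the exposed .git directory is still open after the "fix", and a directory listing appeared that was not there before, which is the kind of regression a plain "did the scan look cleaner" check misses. With real reports, save each run with `nuclei -u URL -o file` and pass the file contents as BEFORE and AFTER.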

Frequently Asked Questions

How do I scan a website for vulnerabilities for free?

Use Kali Linux, which ships with a full suite of free tools pre-installed: Nmap for port scanning, Nikto for web server checks, WPScan for WordPress sites, and OWASP ZAP for HTTP traffic analysis. All are open source and free to use against your own infrastructure.

Is penetration testing legal?

Penetration testing is legal only against infrastructure you own or have explicit written authorization to test. Scanning systems without permission violates computer crime laws in most jurisdictions, regardless of intent.

What is Kali Linux and why do pen testers use it?

Kali Linux is a Debian-based distribution purpose-built for penetration testing and security research. It ships with hundreds of pre-installed security tools, so you don't have to track down and configure each one manually. It can run from a USB drive without installation or be deployed as a full system.

How often should I scan my website for vulnerabilities?

At minimum, quarterly and after any significant change: hosting migrations, CMS updates, new plugin installations. Commercial sites handling user data benefit from automated weekly scans using tools like Nuclei to catch newly disclosed CVEs as they're published.

What's the difference between Nuclei and Nikto?

Nikto is a classic scanner focused on web server configuration and known server-side issues. Nuclei uses a template-based approach covering thousands of CVEs, cloud misconfigurations, and vulnerable APIs — and the template library is updated by the community daily. For modern applications and APIs, Nuclei is typically faster and more comprehensive.

Security testing works best on isolated infrastructure — so you're not running attack tools against a live production environment. A VPS on THE.Hosting deploys in 60 seconds across 50+ locations: spin up a clean Kali Linux machine, run your tests, and tear it down when you're done. Plans start at €5.77/month.
